CloudFrontier – Monitor the internet attack surface

CloudFrontier logo

Monitor the internet attack surface of various public cloud environments. Currently supports AWS, GCP, Azure, DigitalOcean and Oracle Cloud.

Currently supports AWS, GCP, Azure, DigitalOcean and Oracle Cloud.

Contents

  • Setting up
    • Cloud accounts
    • Analyzer services
    • Deployment dependencies
  • Deployment
    • Using a local environment
    • Using Docker
  • Supported resources and services
    • AWS
    • GCP
    • Azure
    • DigitalOcean
    • Oracle Cloud
  • Components
  • Screenshots
  • Roadmap
  • Contributors
  • Contributing
  • License

Setting up

The project is built using multiple serverless services which are to be deployed to AWS using the Serverless framework. For this, you’ll need to configure the credentials of the AWS account to which you want to deploy to.

Once you’ve done that, you can start setting up the cloud accounts you want to scan.

Cloud accounts

Templates for the credentials are available in the credentials directory and have the suffix .example. To create the actual environment/credential file, you can simply create a copy of the template and remove .example from its name.

AWS

Upload the CloudFormation template CloudFrontierAWS.yml to the account whose assets you want to collect. The output of this stack will be an IAM role’s ARN that Cloud Frontier will use to collect the assets. Copy the ARN and paste it in credentials/aws.env.

GCP

To collect assets from your GCP account, you’ll need to create a service account key.

Once you’ve created the key, add it to credentials/gcp.json, and also add the GCP project ID to credentials/gcp.env.

Azure

Obtain or generate the following IDs and secrets from your Azure account and add them to credentials/azure.env.

  • Create application in Azure Active Directory
    1. Select Azure Active directory in the left sidebar
    2. Click on App registrations
    3. Click on Add
    4. Enter the application name, select application type (web app/api) and sign-on URL
    5. Click the create button
  • Get Tenant ID
    1. Select Azure Active directory in the left sidebar
    2. Click properties
    3. Copy the directory ID
  • Get Client ID
    1. Select Azure Active directory in the left sidebar
    2. Click Enterprise applications
    3. Click All applications
    4. Select the application which you have created
    5. Click Properties
    6. Copy the Application ID
  • Get Client secret
    1. Select Azure Active directory in the left sidebar
    2. Click App registrations
    3. Select the application which you have created
    4. Click on All settings
    5. Click on Keys
    6. Type Key description and select the Duration
    7. Click save
    8. Copy and store the key value. You won’t be able to retrieve it after you leave this page
  • Get Subscription ID
    1. Select Subscriptions in the left sidebar
    2. Select whichever subscription is needed
    3. Click on overview
    4. Copy the Subscription ID

DigitalOcean

To collect assets from your DigitalOcean account, you’ll have to create a personal access token and an access key for Spaces.

When you’re creating the access token you only need to select the read scope since that’s all that we require.

Paste the personal access token and the Spaces access key and secret in the credentials/digitalocean.env file.

Oracle Cloud

To access your Oracle Cloud resources and services you need to create a key and get the Orale Cloud Identifiers Required Keys and OCIDs. Paste this API key in credentials/analyzers.env.

Analyzer services

Shodan

To be able to get port scan results for IP addresses from Shodan you’ll need to have an API key, which you can get for free by registering on Shodan. Once you generate the API key, paste it in credentials/analyzers.env.

VirusTotal

In order to get the reputation of an IP address or domain, you must have a VirusTotal account, which can be created for free by registering to VirusTotal Community. Once you generate the API key, paste it in credentials/analyzers.env.

Deployment dependencies

You can setup the deployment environment either locally or using Docker.

Using a local environment

For this you’ll need to have the following installed:

  • Python 3.8
  • Node.js 10.x or later
  • Go 1.x (only if you want to modify and/or rebuild the binaries before deployment)
  • pipenv
  • npm

Once you have these installed, you can run:

npm install --save-dev

You are now ready for deployment!

Using Docker

You just need to build the Docker image from the project’s root directory:

docker build -t cloud-frontier .

You are now ready for deployment!

Deployment

As mentioned in the previous section, Cloud Frontier will be deployed to an AWS account that you have configured, and whose profile name you can pass to the deployment script using the --profile option (the default value for which is default).

Using a local environment

To deploy all the stacks, simply run the deployment script:

./deploy.sh

You can pass the same options to this script as you would to the serverless deploy command, such as --profile--stage--region etc. For example:

./deploy.sh --profile default --stage dev --region us-east-1

Using Docker

Run the following command to deploy the stacks using the Docker image you built:

docker run -v ~/.aws:/root/.aws cloud-frontier

You can pass the same options here as you would to the serverless deploy command, such as --profile--stage--region etc. For example:

docker run -v ~/.aws:/root/.aws cloud-frontier --profile default --stage dev --region us-east-1

Note: the ~/.aws directory is mounted inside the container so that your AWS account profiles can be easily made available to the deployment script that’s running inside the container.

Supported resources and services

AWS

  • API Gateway
  • EC2
  • Elastic Beanstalk
  • Elastic Load Balancers
  • Elasticsearch Service
  • Elasticache
  • RDS
  • S3

GCP

  • Domain Name Service
  • Public IP Address
  • Storage Buckets
  • Forwarding Rules

Azure

  • Content Delivery Network
  • Public IP Addresses
  • Blob

DigitalOcean

  • Domains
  • Floating IPs
  • Spaces
  • Load Balancers

Oracle Cloud

  • DNS Zones
  • Public IP Addresses
  • Storage Buckets

Components

components

Screenshots

Landing page
landing page
Dashboard
dashboard
Asset inventory
assets
Dark mode
darkmode

Roadmap

  • Add authentication using Cognito
  • Perform port scanning of IPs using nmap?

Contributing

We are happy to receive issues and review pull requests. Please make sure to write tests for the code you are introducing and make sure it doesn’t break already passing tests.

License

This project is licensed under the terms of the Apache license.